Re: Solaris, Sudo, and locking the root account
From: Eric Jon Rostetter (eric.rostetter@physics.utexas.edu)
Date: 09/28/01
- Previous message: Geoff Collis: "RE: Solaris, Sudo, and locking the root account"
- In reply to: Gordon Ewasiuk: "Solaris, Sudo, and locking the root account"
- Next in thread: Fredrik Pettai: "RE: Solaris, Sudo, and locking the root account"
To: Gordon Ewasiuk <gewasiuk@gnmc.net>
Subject: Re: Solaris, Sudo, and locking the root account
Message-ID: <1001702434.3bb4c422b23fd@mail.ph.utexas.edu>
Date: Fri, 28 Sep 2001 13:40:34 -0500 (CDT)
From: Eric Jon Rostetter <eric.rostetter@physics.utexas.edu>
Quoting Gordon Ewasiuk <gewasiuk@gnmc.net>:
> Hi All,
>
> What is the general feeling towards locking the root account on Solaris
> when using sudo?
My feeling is that it is more trouble than it is worth.
> We use sudo on Solaris everywhere and lock the root
> account. This forces all users to sudo -s for a root shell - BUT - after
> an abnormal shutdown, if a filesystem comes up dirty, it might need a
> manual fsck pass. This, of course, requires the root password to enter
> maint. mode.
Yes, for this and a few other rare cases, I would not lock the root account.
With good access control (no remote root logins, etc), good logging, and good
auditing, you should be able to track anyone as long as they can't login as
root. Locking the root account will not stop most root exploits since they
don't depend on the passwords, so it doesn't buy you a lot in break-in security.
My thoughts for those who want to secure the machine access are:
1) Allow root login only from secure, specific location(s) (e.g. console)
2) Only give the password to those who need to know (usually just one person)
3) Put the password in some form of escrow in case the person(s) knowing the
root password are run over by a bus.
4) Provide sudo for the other folks needing elevated access.
> I've got no problems booting from a CD, mounting the root FS, and
> unlocking/NP the root acct but a veteran sysadmin kinda looked at me funny
> when I explained it to him.
As long as there is someone always on duty with the knowledge/skill to do
this when the problem arises, or if you don't need to worry about uptime,
then this might work. But it sure is a pain!
> Is this a standard practice or making more trouble than it's worth?
I've not ever heard of this as standard practice, and IMHO it is more
trouble than it is worth. I just restrict root logins to the console (if
they have the console they can get in anyway), restrict the password to
myself, escrow the password for emergency cases, and let them eat sudo.
> TIA,
>
> -Gordon
>
> --------------------------------------------------
> Gordon Ewasiuk, Certified Sun Fanatic, Winstar VHC
> The REAL office number is here-----> 703.893.4901
> Tired of BSODs, My Computer, and Code Red?
> http://www.sun.com/solaris/binaries/
> -------------------------------------------------
>
Eric Jon Rostetter
The Department of Physics
The University of Texas at Austin
Austin, Texas 78712-1081
Office: RLM 7.126
Telephone: 512-471-5821
Email: eric.rostetter@physics.utexas.edu
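An added example, not part of the original post: a small audit function for the two settings this reply turns on, whether root logins are confined to the console via /etc/default/login and whether the root entry in /etc/shadow is locked (the *LK* prefix or NP that Gordon mentions having to undo from CD). The file paths are parameters and the sample entries are constructed, so it runs offline against sample files as well as a live Solaris host.

```shell
# Added example (not from the original post): audit the two settings the reply
# cares about on a Solaris host. File paths are parameters so the check can run
# against the live /etc/default/login and /etc/shadow or against sample files.
# Return status: 0 when root login is console-only AND root is not locked,
# 1 when either of those is not the case.
check_root_access() {
    login_defaults=$1
    shadow_file=$2
    rc=0

    # /etc/default/login: an uncommented CONSOLE=/dev/console line means root
    # may log in directly only on the console; everyone else goes through sudo.
    if grep -q '^CONSOLE=/dev/console' "$login_defaults"; then
        echo "CONSOLE: root login restricted to the console"
    else
        echo "CONSOLE: root login NOT restricted to the console"
        rc=1
    fi

    # Second field of root's shadow entry. Solaris marks a locked account with
    # a *LK* prefix and a password-less one with NP; either blocks the root
    # login needed for the single-user fsck case the thread discusses.
    root_field=$(awk -F: '$1 == "root" { print $2; exit }' "$shadow_file")
    case "$root_field" in
        '*LK*'* | NP | '')
            echo "ROOT: account locked or has no password (field: '$root_field')"
            rc=1 ;;
        *)
            echo "ROOT: password set, emergency console login possible" ;;
    esac
    return $rc
}

# Demo on constructed sample files (the hash value is made up, not real data).
demo_root_access() {
    d=$(mktemp -d)
    printf 'CONSOLE=/dev/console\nPASSREQ=YES\n' > "$d/login.ok"
    printf '#CONSOLE=/dev/console\nPASSREQ=YES\n' > "$d/login.open"
    printf 'root:8nGrU2jx5yGHw:11593::::::\n' > "$d/shadow.ok"
    printf 'root:*LK*8nGrU2jx5yGHw:11593::::::\n' > "$d/shadow.locked"
    check_root_access "$d/login.ok" "$d/shadow.ok"        # the setup Eric recommends
    check_root_access "$d/login.ok" "$d/shadow.locked"    # the locked-root setup
    check_root_access "$d/login.open" "$d/shadow.ok"      # root login from any tty
    rm -rf "$d"
}

demo_root_access
```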